by psanford 1725 days ago
Neat! An HSM sounds like way overkill for a developer machine, but I could see that being useful for other use cases.

The TPM is a good option because every non-Mac ships with one already (and there are similar facilities available on Macs).


In this case it was a Zymbit Zymkey 4i which contains a secure element with a bunch of additional functionality (tamper detection, etc.) and works with a Raspberry Pi. Now I’m wondering how easily it could be adapted for use on a laptop with a TPM…

If you are looking for some references besides my linked code, this comment[0] on the tpm2-tools repo will probably be useful. FWIW, I've moved my workflow over to having long-lived AWS keys protected by my TPM and then I generate session credentials from that for normal AWS CLI usage.

[0]: https://github.com/tpm2-software/tpm2-tools/issues/1597#issu...
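The workflow described in the comment above (a long-lived AWS key pair sealed by the TPM, short-lived STS session credentials minted from it for everyday CLI use), as an added shell example that is not the commenter's linked code and not part of the original thread. It assumes tpm2-tools 4.x-or-later command syntax, AWS CLI v2, a TPM 2.0 reachable through the default TCTI (for example /dev/tpmrm0), an owner hierarchy with no password set, and the directory, persistent handle and script name used below, all of which are my own choices.

```shell
#!/bin/sh
# Added example, not the commenter's linked code: keep a long-lived AWS access
# key pair sealed in the TPM and mint short-lived STS session credentials from it.
# Assumptions (mine, not from the thread): tpm2-tools 4.x+ command syntax, AWS
# CLI v2, a TPM 2.0 reachable via the default TCTI (e.g. /dev/tpmrm0), an owner
# hierarchy usable without a password, and the handle/paths chosen below.
set -eu

KEYDIR="${KEYDIR:-$HOME/.aws/tpm}"            # sealed blobs live here (chosen name)
PRIMARY_HANDLE=0x81010001                     # persistent handle for the parent key (chosen)
SESSION_SECONDS="${SESSION_SECONDS:-43200}"   # 12h; STS allows 900..129600 for IAM users

# Create the parent key once and persist it so it survives reboots.
ensure_primary() {
    tpm2_readpublic -c "$PRIMARY_HANDLE" >/dev/null 2>&1 && return 0
    tmpctx="$(mktemp)"
    tpm2_createprimary -C o -c "$tmpctx" >/dev/null
    tpm2_evictcontrol -C o -c "$tmpctx" "$PRIMARY_HANDLE" >/dev/null
    rm -f "$tmpctx"
}

# One-time: read "ACCESS_KEY_ID\nSECRET_ACCESS_KEY\n" on stdin and seal it.
# A sealed object holds at most 128 bytes; the two AWS values fit easily.
seal_aws_key() {
    ensure_primary
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
    tmpin="$(mktemp)"
    cat >"$tmpin"
    # aws.priv is encrypted by the TPM; it loads only under this parent on this chip.
    tpm2_create -C "$PRIMARY_HANDLE" -i "$tmpin" \
        -u "$KEYDIR/aws.pub" -r "$KEYDIR/aws.priv" >/dev/null
    rm -f "$tmpin"
}

# Load the sealed object and print the two lines back out.
unseal_aws_key() {
    tmpctx="$(mktemp)"
    tpm2_load -C "$PRIMARY_HANDLE" -u "$KEYDIR/aws.pub" -r "$KEYDIR/aws.priv" \
        -c "$tmpctx" >/dev/null
    tpm2_unseal -c "$tmpctx"
    rm -f "$tmpctx"
}

# Exchange the long-lived key for session credentials. The unsealed key is
# only ever placed in the environment of the single `aws sts` call.
mint_session() {
    creds="$(unseal_aws_key)"
    key_id="$(printf '%s\n' "$creds" | sed -n 1p)"
    secret="$(printf '%s\n' "$creds" | sed -n 2p)"
    AWS_ACCESS_KEY_ID="$key_id" AWS_SECRET_ACCESS_KEY="$secret" \
        aws sts get-session-token --duration-seconds "$SESSION_SECONDS" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text
    unset creds key_id secret
}

# Turn the tab-separated "id<TAB>secret<TAB>token" line from --output text
# into export statements suitable for `eval`. Fails unless exactly 3 fields.
format_exports() {
    old_ifs=$IFS
    IFS="$(printf '\t')"
    set -f                     # no globbing while word-splitting the line
    set -- $1
    set +f
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo "unexpected STS output" >&2; return 1; }
    printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
        "$1" "$2" "$3"
}

# Usage:  printf '%s\n%s\n' "$AKID" "$SECRET" | ./tpm-aws.sh seal
#         eval "$(./tpm-aws.sh session)"   # then use the AWS CLI as normal
case "${1:-}" in
    seal)    seal_aws_key ;;
    session) format_exports "$(mint_session)" ;;
    "")      ;;                # no argument: only define the functions
    *)       echo "usage: $0 seal|session" >&2; exit 2 ;;
esac
```

Two caveats a practitioner should add before relying on this: the sealed object above has no authorization value or PCR policy, so anyone who can run tpm2_unseal on that machine with the two blob files can recover the long-lived key (bind it with `-p` or a `-L` policy in tpm2_create and supply the same at unseal time), and the persistent handle must not collide with anything else already evicted into the owner range on that TPM (check with `tpm2_getcap handles-persistent`). Because only session credentials ever reach the shell, rotating the sealed long-lived key is cheap and worth doing on a schedule.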